- [Landon] Welcome to The CYBER5, where security experts and leaders answer five burning questions on one hot topic in actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of Nisos, a managed intelligence company. In this episode I talk with the Chief Information Security Officer of MongoDB, Lena Smart. We talk about what security teams have to do to truly enable the business and be a partner to information technology, engineering, legal, and human resources. We discuss how to deal with shadow IT within different departments, understand the culture of different departments, and how to suspend a risk. Stay with us. Lena, welcome to the show. Would you mind sharing a little about your background with our listeners, please?

- [Lena] Sure. Thanks, Landon. I'm the global CISO here at MongoDB. I've been here for just over two years. Last year has obviously been interesting, and I hope that everyone out there is doing okay, having come through a pandemic. So my background is probably not as normal as maybe others'. I left school when I was 16, so I'm self-taught. I've worked in a shipyard, I've worked in power plants, I've worked in banking, private banking, and I'm now working in tech, which I really enjoy. These are my opinions. These are not those of my employer, MongoDB.

- [Landon] Super, and we're looking forward to talking about this. In today's topic we're gonna be talking about the best practices for security that enable the business. There's a lot of companies that, where you've been in the past, have grown and scaled. How have you positioned security to enable the business? I guess, kind of a little bit of background, I've talked to a number of folks. A lot of folks on the CIO shop have said that security can be a disabler of business. I think we've all probably heard that sometime in our careers. How do we kind of flip that script a little bit and enable the business?

- [Lena] That is a great point. I've heard that as well, and I'm kind of aghast at that mentality, but there we are. And, I mean, fundamentally, I want to make it easy to do the right thing and difficult to do the wrong thing. And I believe we can do that via education and, of course, automation of processes. So, you know, we're looking for mechanisms that allow our users to back out of doing the wrong thing. If you click on a link, the bottom doesn't fall out of your world. We can put a process behind that that says, "Okay, you've clicked on this link. Are you sure you want to go there?" You know, you're giving people a chance to back out of doing that wrong thing rather than penalizing someone. And we're trying to, as I said, make it easy to do the right thing and difficult to do the wrong thing. And then in terms of enabling the business, obviously communication is key. So we have regular meetings with our legal department where we go over things like our technical, operational and security measures. We work with HR when we're dealing with, obviously, personnel-type issues, maybe healthcare records, and, you know, people are wondering where their data is, and that's obviously with our internal personnel. I also meet with the C-suite, with the CTO, the CFO and other C-suite, just to get a good understanding of what's happening from the business standpoint. Obviously very close with our sales folks as well. And I deal a lot with our customers, who I love. And I really love talking with the customers and understanding what their needs are, because that helps me build a security team that's really going to help do my business.

- [Landon] Is shadow IT a large concern when you're at that scale and size? Because, as you know, different parts of the business just want to get things done faster, right? I'm sure you've had many times in your career where marketing or sales or the development shop just want to get it done and not have to really kind of take security into account. They just do what they need to get done. And then all of a sudden you have problems, right? And then they call security. How have you dealt with those types of challenges? And really, you know, at the end of the day, this is about risk. So how do you kind of reduce risk?

- [Lena] Well, again, it is being that enabler, not the disabler. And it's also down to communication and relationships. So we've built really good relationships with our technical operations people, our IT people, people who are at the sharp end of the pointy stick when it comes to supporting our internal users. And we also allow people to build relationships within the security groups. We have something called a Security Champions Program. There's probably about 80, maybe 85 members within MongoDB, and that's global membership. And these are people who have an interest in security, and they're basically the security voices for their working group, for their business unit or their team. And that actually helps us a lot with shadow IT, because a lot of these folks are, again, at the sharp end of the business. They are the folks who know their team or are perhaps evaluating a new HR system or a new billing system or any system that's going to touch our email system, for example. And they make us aware of quite a lot of the applications that are coming down the pike. And that's kind of the shadow IT part of it. But we've also made it very clear to the entire company. Everyone is very much aware of the process that's required. We've tried to make that as quick as possible, because if you don't, people are just going to find a way around it. And so we've worked with procurement and the legal department and the IT department so that if people want to, for example, add a new add-on to Chrome, then it's a series of easy steps to get that done and get it blessed and tested. So, you know, we test these applications, we test these add-ons, and we even get into working with procurement on third-party risk and cutting down that supply chain risk as well. So we've actually not got, touch wood. We don't believe we have a shadow IT problem. I don't think it is a large concern, because we're very open about the process. We've made the process easy and quick and, more importantly, we've communicated that process to our internal users and business units so that they're aware of what that process is.

- [Landon] So you talked a little bit about process there. Now let's focus in really around when events happen, right? Because I think anytime you get to a scale of a business over 500 people or 1,000 people, just by the law of averages, you're going to certainly and potentially have security incidents. The question really is, how do you get that buy-in when security matters actually occur? And I've talked to a lot of folks. You know, they have more of a mentality of training and saying, "See something, say something." Is it more than that, or is that a good rule of thumb to be consistent with?

- [Lena] Well, I do like the "see something, say something." That definitely works. But you also have to report back if someone has seen something and they've said something. They usually want closure on what they've seen and what they've said. And I think it's important that people are included in the aftermath where possible, obviously. So, for example, if we're doing a phishing exercise and people have clicked on the link where they've identified something as phishing, and we all know that phishing is the way into a company. It's how you're going to spread around somewhere quickly. Then we make sure that people know that they did the right thing. They've clicked on a link that could have been devastating to our company, but because they were aware and because they saw something and they said something, they've helped not have an issue with that possible piece of malware. And that kind of gives them closure. And we actually get some really good feedback from our internal users on, "We clicked on a link and we thought this was spam, and then we were told it was spam." And that was good. But you also want to close that loop and have a kind of feedback loop back to the person who did report that error. But in any event, buy-in from the business has to come from the top. So, you know, I've talked about how important it is to engage your users and customers, but really security and awareness has to come from the top. The trust of our customers and the trust of our customer data is absolutely paramount to a successful business plan. And so we have a good relationship with the board of directors. Most of them are very technical, so we get some very good feedback from them. Obviously we have got full support from our C-suite, and we do things like tabletop exercises so that people are aware of the roles and responsibilities when it comes to being engaged in the whole security process.

- [Landon] When you talk about working between the business units, like you were just mentioning, what are the unique sensitivities between departments that you would advise on? So let's say you're giving a cybersecurity CISO 101 class. Most young security professionals are very technically focused and not really oriented toward what a marketing professional or sales professional, or even sometimes an IT professional, in that regard. How would you kind of advise them just to be aware of the unique sensitivities?

- [Lena] Don't be seen as the team that says "No" and moves on. That's unfortunately what a lot of systems and security teams have been seen as. And so that takes communication. So be tuned into what each business unit needs, attend their quarterly business reviews, or QBRs, understand their specific needs. HR has got completely different needs than the front desk security folks. Understand what those differences are and help them out when they need help. Don't leave people dangling. And that just helps build positive relationships. You know, there's a saying, "Walk a mile in someone's shoes to learn where they're going." That is never sure when it comes to security. I think, unfortunately, some security folks make an awful lot of assumptions. They just assume that everyone lives in the security world that we live in. And they don't. You know, they have other things to do with their time. And so our job, again, is to try and make things easy and make their life easier when it comes to dealing with security. You know, don't live in this world to feed uncertainty and doubt. And again, this is where I believe our Security Champions Program really helps us, because we have employees that have a vested interest in learning more about security and, more importantly, communicating and being the security voice for their own group. So I think that's very important.

- [Landon] So you mentioned the Security Champions Program. Did that come from the top? It was probably your idea, and it probably was blessed off by the top. I mean, 800 people is a lot of people to buy into security, right? So kind of walk through, just at a high level, how you got that kind of buy-in, and I guess what have been the results and positive outcomes that have come from that?

- [Lena] So this is one of the first things that I started when I joined MongoDB a couple of years ago. And we were going great guns, and then COVID happened. And so we kind of stopped it, because people had other things to worry about. We just kicked off again about four months ago. As I said, we've got over 80 volunteers, 80 champions. We made sure that their supervisor was notified that they were joining us, because obviously they're giving up one to two hours a week of their time. And we have things like capture the flags, we've got a book club, a security book club. We've just got a whole bunch of things that are all related to security, because they're volunteering for this. This is not a mandatory, you know, "you have to attend this." This is something that people have wanted to do on their own. They are much more vested in what they can learn. And some of the benefits have been, I think, a reduction in shadow IT, an increase in overall awareness of security. They will take part in some of our tabletop exercises so they understand what roles and responsibilities are for each group. So it's vast and wide-ranging. And it is really for, I would say, quite a . You know, I spend maybe one to two hours a week from people who want to learn new things anyway. Where we offer classes, we are showing people what rainbow tables are and how you can hack things and how you can keep your Wi-Fi at home secure. So we make it relevant to their own personal circumstances as well.

- [Landon] Well, you mentioned shadow IT earlier. Thinking about not only MongoDB's shadow IT but, of course, you know, these are issues that certainly deal with suppliers and their shadow IT, and certainly, depending on who the vendors are, that could certainly have dire consequences for their clients and partners. I'm just curious how you think about security beyond the four walls of your perimeter, particularly for a medium-sized business with suppliers and vendors.

- [Lena] Yeah. So obviously I don't want to belabor the point of SolarWinds, because I think we've gone through that enough. But you would be surprised how many links you have to, say, companies that your security team just isn't even aware of. And so we've hired some folks in our team, and their job is to identify, manage and secure our third-party vendor links. I know that that seems probably like a bit of overkill, but I think that supply chain management, in terms of risk management, is one of the things that's vastly overlooked. I think people just assume, "Well, if we're secure, everyone else is secure," when it's the complete opposite, I believe. So just be aware of your supply chain, perform security checks for onboarding new vendors, and then understand who your critical vendors are and what would happen if they got hacked. Could you be used as a pivot if someone else got hacked? And as I said, we just hired some experts to actually do this.

- [Landon] If you were in charge at the executive levels, we just saw some legislation come down where third-party risk certainly was quite the issue. What kind of safeguards and policies and even technologies are the most helpful? You know, what's a technical aspect of how this problem can be solved?

- [Lena] Well, I think what we are doing here, where we've actually got some experts in to map out links back into MongoDB, for example, via third parties, via other vendors, I think is very important. But I think look at all the different aspects of the supply chain management and apply reasonable levels of risk to each of those findings. I think they'll find that there's clean-up work to be done. And there's got to be an understanding that this isn't going to be a one-month, two-month job. We reckon this will take us probably 12 months to work through, at least. And it's not that we feel we're insecure. We do know the main vendors and the different relationships that we have. And we obviously have a very closed environment when it comes to where we keep our customer data, for example. But you've talked a bit about shadow IT. I'm just concerned: is there a vendor that's got access into something that we weren't aware of? And we try and be as transparent and as honest as possible. I just want to make sure that we are looking under every rock, if that is possible, to secure these third-party vendor relationships and reduce the risk as much as possible.

- [Landon] Final sub-question on this. How much is executive leadership also kind of getting involved in looking at and prioritizing those types of critical vendors?

- [Lena] In terms of our C-suite deciding who those vendors are, do you mean?

- [Landon] More or less. I mean, I guess, would you think that this is now acutely aware where it's going to ultimately get the resources it needs?

- [Lena] I think it will. I mean, I think obviously I'm extremely lucky, and I've got a C-suite that genuinely understands how important security is, and they've given me free rein to hire who we need. So I think that it's important to understand. I don't think that I'm going to see my CEO phone me up and say, "So-and-so just got hacked. Should we fire them as a vendor?" You know, I don't think that will happen. I think what's more likely to happen is we need to make sure we've got responses whenever customers ask, "Do you use X, Y, and Z?" And I think that's important. That's why it's very important to understand where your relationships are with those third parties. Because then you can get your kind of response out as quickly as possible. You can be transparent and honest and open very quickly. You're not scrambling for answers when you have this information at your fingertips.

- [Landon] Lena, you're doing great things at MongoDB. We appreciate your time, and thank you for joining us.

- [Lena] Thank you very much. Take care. Bye.

- [Landon] For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.